
Tuesday, December 7, 2010

The Julian Assange theater from an IT security perspective

I think the world of media has been taken hostage by an attention seeker...or maybe the media empires have decided to use an attention seeker to spice up their news. The second scenario seems more probable, even if it seems to be a cynical view.

I am NOT against Wikileaks. I find it useful as a third resource of evidence-based news records, which can help to cross-reference bits of information when in doubt about various news bits coming from other sources, despite the fact that sometimes I (and many others) question the source ethics and the authenticity of its published records. This seems to be a general problem with the Internet. It contains a lot of information, but not all of it is credible or useful. The recent diplomatic cable leaks may serve as evidence of various foreign policy misconducts, but if I raise the question "Does a reasonably educated and well informed person need Wikileaks to know the deal behind US foreign policy, or to infer the ties between China and North Korea?", the answer I expect is a definite negative. Thus, I question the noise made behind the Wikileaks "revelations".

In fact, I have financially supported Wikileaks (before their accounts were shut down). What I am really against is the behaviour of its founder, for various reasons.

Julian Assange has a background in ethical hacking. There is no universal definition of the term "ethical hacker". I tend to think of it as a reference to a person with advanced technology skills who puts them to good use to reveal the truth or inform people about potentially harmful situations, seeking no financial gain or other rewards from any affected parties. In the information security world, we have the classical argument of software vulnerability disclosures. Some people argue that all vulnerabilities should be made public, whereas others disagree and are of the view that vulnerabilities should be disclosed only to a limited number of parties, on a strict need-to-know-to-fix basis. Personally, I support the second view, and I have never disclosed software vulnerabilities in public.

If I draw a parallel line to the software vulnerability disclosure issue, it would run along the Wikileaks disclosure of vital US sites around the world. I strongly dislike this action, even if I am not a US citizen (or US Government employee). The reason is simple and it has nothing to do with the breaching of any National Security policy. After all, if someone is really determined to do something nasty, surely they will find the resources to do harm without the Wikileaks disclosures. However, any reasonable person understands that revealing strategic infrastructure locations (some of which are not only US based, but they serve collectively many nations) is an act that adds very little to the truth. It is simply a reckless action, bound to also draw the attention of less serious folk with malicious intent.

An equally noteworthy issue with the Wikileaks case is that of the Denial of Service (DoS) attacks on their domain. I am not sure whether the slowness experienced on their domain was due to persistent DoS attacks or simply to the strong demand in anticipation of the forthcoming document leaks (probably both), but this is a strong lesson in distributing important information in a scalable and secure way. This seems to be the job of Peer to Peer (P2P) protocols and not of a number of static HTTP/FTP servers mirrored around the world, which is the usual approach. Torrents distributing the content were of course active from day 1.

My final comment concerns the good old face value of the information origin. I will use an example that comes from the Linux/Unix sysadmin world. Every security-conscious sysadmin (and user) who uses third party binary package repositories makes sure to validate packages via either a hash-based checksum (MD5, SHA) or a public repository key prior to installing them on computer systems. These mechanisms make it more difficult for someone to maliciously alter the contents of a binary package and make you install something nasty on your computer. However, they are not a panacea. We have had cases where world famous open source packages have been compromised. Nevertheless, this is a rare event, and each time we download a Linux kernel, an Apache binary or our latest IDE from our Linux distribution, we trust that the keys have not been compromised. This trust is there because we know that our favourite Linux distribution has capable folk to look after security issues, so we do use the good old face value rule.
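As an added illustration (not part of the original post), the sketch below checks a downloaded file against a manifest in the line format written by `sha256sum`, then shows why the check is only as trustworthy as the source of the manifest. The package name and file contents are constructed for the example.

```python
import hashlib
import hmac
import pathlib
import re
import tempfile

# One manifest line as written by `sha256sum`: digest, space, ' ' or '*', name.
LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def parse_manifest(text):
    """Map file name -> lowercase SHA-256 hex digest; reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_file(path, chunk=65536):
    """Hash the file in chunks so large packages are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, manifest):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    expected = manifest.get(pathlib.Path(path).name)
    if expected is None:
        return "unlisted"  # the manifest says nothing about this file
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    """Constructed sample: a package, its manifest, then two kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        pkg = pathlib.Path(d) / "example-1.0.tar.gz"  # hypothetical package name
        pkg.write_bytes(b"original package bytes")
        trusted = parse_manifest(f"{sha256_file(pkg)}  example-1.0.tar.gz\n")
        results = [verify(pkg, trusted)]
        pkg.write_bytes(b"altered package bytes")
        results.append(verify(pkg, trusted))  # only the package was altered
        forged = parse_manifest(f"{sha256_file(pkg)}  example-1.0.tar.gz\n")
        results.append(verify(pkg, forged))   # manifest replaced as well
        return results
```

`demo()` returns `['ok', 'mismatch', 'ok']`: the last check passes because the manifest was regenerated alongside the altered file, which is why the manifest itself has to be authenticated with a repository key obtained from a source you already trust.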

Wikileaks has appeared so far to be a human-centric entity around the face of Julian Assange. Hence, it would be fair to say that Julian represents to the world the face value of Wikileaks, even if there are probably dozens of people behind the scenes that work to make Wikileaks tick.

It is also understandable that people who reveal the truth are also the subject of massive attacks at every level. Mr Assange had been hiding for quite a long time. I find that a bit odd. If Bob Woodward and Carl Bernstein managed to stay alive while revealing one of the largest scandals in US political history during the horrible Nixon era, I am sure Assange could find ways not to hide. In the same way, I am sure that the lack of transparency and instant communication during the Nixon times could have made it easier for someone to attack journalists then. And they did, but somehow, the journalists and the papers stood up to the challenge. No hiding was necessary.

In the same way, if Assange is not willing to understand that he has to face the Swedish prosecutors and clear his name, he will never gain the face value he needs to be trusted. Sweden is not known to be a corrupt state, so if the "rape" and "sexual misconduct" allegations are constructed to halt him and he cares about the truth, he should rise to the challenge and pass the public face of Wikileaks to someone else. Sooner or later, he will face the facts.

3 comments:

1. About "the noise made behind the Wikileaks revelations": Wikileaks has not only helped to "infer" things that a "well informed person" should know. Wikileaks has shown: Some information unknown by the public (did you know that USA politicians threatened Spaniards to get contracts for General Electric? or to make trials against Bush officers stop?) plus the names of the people involved, which I really hope have consequences for the political career of a lot of traitors in many countries. It is very different knowing that there are crimes in every war to having a video of a helicopter shooting civilians.

2. Assange's personality has been necessary in this case. If Bradley Manning sends the information straight to the New York Times nothing would have happened. All this noise has been necessary to propagate the information. Watergate is nothing compared to this: not in how bad the information is, and not in how the government of the USA is acting. Mike Huckabee asked for Assange's execution; many people in the USA are suggesting formulas to stop him; and they probably will.

3. "Banana Republic" is a very pejorative term that you shouldn't use, rooted not only in the fact that some Caribbean countries were banana producers but also that the United Fruit Company, backed up by the USA, had the power to control governments and armies and sponsor coups in those countries. Sweden might not produce bananas but you could "infer" USA's hands there. Btw, a leak of who in the United Fruit Company (today, Chiquita Banana) ordered the Colombian army to kill thousands of demonstrators during 1928, would have been of a big historical value.

1. Indeed, Wikileaks has shown things. However, there is a difference between showing something that can be logically inferred by a reasonably informed person and showing something really unexpected. The noise was made more for expected things, which is my comment.

2. Noise is good, I do not dislike noise. What I really dislike is the fact that Wikileaks had a certain human centric character around Assange's personality. This is unfair (to the people that work behind the scenes to make things happen) and eventually can become a problem. It would be fair to say that if there were more public faces that could take over the operations and leadership (temporarily until Assange clears his name), it would be more difficult to halt Wikileaks funding and direct attacks to the operation in general.

3. You are probably right. I will change the term. Thanks.